July 12, 2007

MEMORANDUM TO:  Luis A. Reyes
                Executive Director for Operations

FROM:           Stephen D. Dingbaum /RA/
                Assistant Inspector General for Audits

SUBJECT:        AUDIT OF NRC’S NON-CAPITALIZED PROPERTY (OIG-07-A-14)

Attached is the Office of the Inspector General’s (OIG) report titled, Audit of NRC’s Non-Capitalized Property.

This report presents the results of the subject audit. Agency comments provided at the exit conference on June 26, 2007, have been incorporated, as appropriate, into this report. The agency did not provide formal comments.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up as stated in Management Directive 6.1.

We appreciate the cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 415-5915, or Steven Zane at 415-5912.

Attachment: As stated

cc: V. Ordaz, OEDO
    M. Malloy, OEDO
    P. Tressler, OEDO

Electronic Distribution

Frank P. Gillespie, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
E. Roy Hawkens, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
William M. McCabe, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
Luis A. Reyes, Executive Director for Operations
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Waste, Research, State, Tribal, and Compliance Programs, OEDO
Darren B. Ash, Deputy Executive Director for Information Services and Chief Information Officer, OEDO
Vonna L. Ordaz, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Cynthia A. Carpenter, Director, Office of Enforcement
Charles L. Miller, Director, Office of Federal and State Materials and Environmental Management Programs
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
R. William Borchardt, Director, Office of New Reactors
Michael F. Weber, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV

AUDIT REPORT

Audit of NRC’s Non-Capitalized Property

OIG-07-A-14     July 12, 2007

All publicly available OIG reports (including this report) are accessible through NRC’s Web site at: http://www.nrc.gov/reading-rm/doc-collections/insp-gen/

EXECUTIVE SUMMARY

BACKGROUND

The Nuclear Regulatory Commission (NRC) has an established property management program to account for and control property.[1] Property management encompasses both capitalized[2] and non-capitalized[3] property. This report focuses on NRC’s program to account for and control non-capitalized property. As of June 2006, non-capitalized property was comprised of almost 16,000 pieces of equipment costing approximately $26 million.

The Space Planning and Property Management Branch (Property Branch), Division of Facilities and Security, is currently responsible for developing and administering the agency's property management program, including the Space and Property Management System (SPMS).
Since March 1999, NRC management has moved this responsibility to three different divisions.

[1] Management Directive 13.1, Property Management, defines government personal property as any equipment, furniture, or supply items that are owned, leased, borrowed, donated, forfeited, or transferred from another Federal agency, purchased with NRC funds, or otherwise in the possession or control of the NRC.
[2] Management Directive 13.1 defines capitalized property as any NRC-purchased property with an initial acquisition cost of $50,000 or more.
[3] Management Directive 13.1 defines non-capitalized property as NRC property with an initial acquisition cost of less than $50,000.

PURPOSE

This audit was conducted to determine whether NRC has established and implemented an effective system of management controls for maintaining accountability and control of non-capitalized property.

RESULTS OF AUDIT

While NRC’s property management policies for non-capitalized property provide a framework to control and safeguard property, the program, as implemented, needs improvement to provide effective control. Specifically:

   A. SPMS data is not accurate;

   B. Controls for Information Technology (IT) property that may contain personally identifiable information (PII)[4] are lacking;

   C. Physical security deficiencies exist; and

   D. The policy for notifying Office of the Inspector General (OIG) of missing property needs improvement.

In light of NRC’s imminent growth in full-time equivalents (FTE), and anticipated office relocations, it is increasingly important that NRC maintain effective and efficient accounting and control over non-capitalized property. Therefore, now is an opportune time for NRC management to increase accountability for, and improve control of, the property management program. An effective and efficient property management program is essential to assure that staff have the property needed to carry out their duties and assure optimum utilization of staff time, property and fiscal resources.

RECOMMENDATIONS

This report makes recommendations to the Executive Director for Operations to help NRC strengthen the effectiveness of management controls with respect to maintaining accountability and control of non-capitalized property. This report also recommends that the threshold for accountable non-sensitive property[5] be raised so that property custodians can focus on maintaining accurate and reliable property records for sensitive and more expensive items.

AGENCY COMMENTS

At an exit conference held on June 26, 2007, agency managers generally agreed with the audit findings and recommendations and provided comments concerning the draft audit report. We modified the report in response to the comments, as we deemed appropriate.
NRC reviewed these modifications and opted not to submit formal written comments for the final version of this report.

[4] "Personally Identifiable Information (PII)" represents information about an individual that can be used to distinguish or trace a person’s identity (e.g., Social Security Number, Date and Place of Birth, Mother’s Maiden Name, etc.).
[5] MD 13.1 defines accountable property as any equipment, excluding furniture and supplies, that is complete in itself, is of a durable nature with an expected life of 2 years or more, does not ordinarily lose its identity or become a component of another article, and is not consumed in its useful life. Accountable property is classified either as “sensitive” or as “non-sensitive.” Footnote 9 defines sensitive property.

ABBREVIATIONS AND ACRONYMS

   ADM               Office of Administration
   FTE               Full-Time Equivalent
   FY                Fiscal Year
   GAO               Government Accountability Office
   IT                Information Technology
   JFMIP             Joint Financial Management Improvement Program
   MD                Management Directive
   NRC               Nuclear Regulatory Commission
   OIG               Office of the Inspector General
   OIS               Office of Information Services
   OMB               Office of Management and Budget
   PII               Personally Identifiable Information
   SPMS              Space and Property Management System
   Property Branch   Space Planning and Property Management Branch

TABLE OF CONTENTS

   EXECUTIVE SUMMARY
   ABBREVIATIONS AND ACRONYMS
   I.    BACKGROUND
   II.   PURPOSE
   III.  FINDINGS
         A. SPMS DATA IS NOT ACCURATE
         B. CONTROLS FOR INFORMATION TECHNOLOGY (IT) PROPERTY THAT MAY CONTAIN PERSONALLY IDENTIFIABLE INFORMATION (PII) ARE LACKING
         C. PHYSICAL SECURITY DEFICIENCIES EXIST
         D. THE POLICY FOR NOTIFYING OFFICE OF THE INSPECTOR GENERAL (OIG) OF MISSING PROPERTY NEEDS IMPROVEMENT
   IV.   AGENCY COMMENTS
   V.    CONSOLIDATED LIST OF RECOMMENDATIONS

   APPENDIX
         A. SCOPE AND METHODOLOGY

I.    BACKGROUND

The NRC has an established property management program to account for and control property. Property management encompasses both capitalized and non-capitalized property. This report focuses on NRC’s program to account for and control non-capitalized property. The planned growth in NRC’s FTEs,[6] coupled with anticipated office relocations, heightens the importance of having the right equipment, at the right place, with the right person, at the right time, to facilitate efficient and effective mission accomplishment. As of June 2006, non-capitalized property was comprised of almost 16,000 pieces of equipment costing approximately $26 million.

Guidance

Certain rules and regulations are in place to ensure that Federal property is safeguarded, properly accounted for, and adequately controlled to reduce the potential for waste, fraud, and mismanagement.
Below is a list of key guidance pertinent to NRC’s accounting and control of non-capitalized property:

   - The Office of Management and Budget (OMB) Circular A-123, Revised, Management's Responsibility for Internal Control,

   - The Joint Financial Management Improvement Program (JFMIP),[7] Property Management Systems Requirements, and

   - NRC Management Directive 13.1, Property Management, revised January 14, 2002 (MD 13.1).

[6] The agency plans to increase the number of FTEs by 228 over the FY 2007 level by the end of FY 2008.
[7] JFMIP is a joint undertaking of OMB, the Government Accountability Office, the Department of the Treasury, and the Office of Personnel Management, to work in cooperation with each other and with other agencies to improve financial management practices throughout the government.

Responsibility for Property Management

The Property Branch, Division of Facilities and Security, is currently responsible for developing and administering the agency's property management program, including the SPMS. Since March 1999, NRC management has moved this responsibility to three different divisions (see following chart). In addition to changing the reporting lines, the Property Branch has experienced a turnover of both the division director and the branch chief positions since December 2005.
In FY 2006, the estimated total resources dedicated to administering NRC's property management program were approximately $923,000 and 5.25 FTEs.[8]

[Chart: Responsibility for Property Management. Divisions shown: Division of Contracts and Property Management (DCPM); Division of Administrative Services (DAS); Division of Facilities and Security (DFS). Horizontal axis: Time from 3/15/1999 to Present, marked 3/15/1999, 6/30/2002, 12/25/2005, and Present.]

As of May 10, 2006, 71 property custodians and 36 alternate property custodians, located in individual NRC offices, assist the Property Branch with property management functions.
After the Property Branch assigns property to their accounts, property custodians and their alternates manage and control those accounts by:

   - Updating records,
   - Recovering property assigned to separating employees,
   - Assisting in locating missing property,
   - Conducting annual reviews of their property accounts, and
   - Participating in official biennial inventories.

[8] This total does not include property custodian and alternate property custodian salaries and overhead expenses.

Property System Replaced

In June 2005, SPMS replaced the Property and Supply System as the agency’s official property management system. MD 13.1 requires that SPMS contain records for all sensitive equipment,[9] regardless of cost, and accountable non-sensitive equipment[10] having an acquisition cost of at least $500. Non-sensitive items with an acquisition cost of at least $500 and all sensitive items are assigned a unique blue tag number. Non-sensitive items with an acquisition cost below $500 are assigned a red tag and generally are not recorded in SPMS. The following chart illustrates the percent of items that are sensitive and non-sensitive.

[Chart: NRC Non-capitalized Property Count by Sensitive vs. Non-sensitive* (n=15,975). Sensitive: 26%; Nonsensitive: 74%. As of 6/13/2006. *Excludes OIG and the Technical Training Center.]

Inventories

MD 13.1 requires NRC to conduct physical inventories of property every two years. The Property Branch is required to reconcile all discrepancies for missing items with SPMS once an inventory is completed. The Property Branch reports the results to NRC senior management after reconciliation. In addition, property custodians are required to conduct an annual review of their property accounts to certify that the SPMS records are accurate.

[9] MD 13.1 defines sensitive property as property that is desirable for personal use and can be easily removed from the premises (e.g., laptop computers, cell phones, etc.).
[10] MD 13.1 defines accountable property as any equipment, excluding furniture and supplies, that is complete in itself, is of a durable nature with an expected life of 2 years or more, does not ordinarily lose its identity or become a component of another article, and is not consumed in its useful life. Accountable property is classified either as “sensitive” or as “non-sensitive.”

II.   PURPOSE

This audit was conducted to determine whether NRC has established and implemented an effective system of management controls for maintaining accountability and control of non-capitalized property.

III.  FINDINGS

While NRC’s property management policies for non-capitalized property provide a framework to control and safeguard property, the program, as implemented, needs improvement to provide effective control. Specifically:

   A. SPMS data is not accurate;

   B. Controls for IT property that may contain PII are lacking;

   C. Physical security deficiencies exist; and

   D. The policy for notifying OIG of missing property needs improvement.

A rigorous effort by NRC senior management is needed to initiate and sustain improvements to the property management program.

A.   SPMS Data is Not Accurate

Although the agency uses SPMS to maintain property records, SPMS data is not accurate. This condition exists primarily because the property management program lacks adequate accountability. Without accurate and reliable records for non-capitalized property, NRC is subject to loss of property and information, inefficient use of staff time, and potential unnecessary expense.

Guidance

The Government Accountability Office (GAO) Standards for Internal Control in the Federal Government requires agencies to: (1) record transactions promptly and (2) periodically inventory property and compare results to property records.
NRC guidance requires staff to maintain accurate personal property records. Additionally, JFMIP Property Management Systems Requirements call for the property management system to capture:

   - property identification number,
   - location,
   - current user,
   - identity of property custodian, and
   - accountable organization.

SPMS Contains Inaccurate Data

Various tests of SPMS records performed by OIG during this audit revealed that SPMS contains inaccurate data. Specifically, location/sub-location information is inaccurate, SPMS contained errors on firearms location/sub-location and serial numbers, and SPMS shows property assigned to separated employees.

a.   SPMS Location/Sub-Location Information is Inaccurate

SPMS does not accurately reflect the location and sub-location[11] for many non-capitalized property items.
The results of OIG’s unannounced physical inventory of a statistical random sample of non-capitalized property at NRC Headquarters, Region III, and Region IV are summarized in the following table.[12]

Error Rates

   Location       Percent of Errors   The Percent of Errors   The Percent of Errors
                                      Could be as Low as      Could be as High as
   Headquarters   37.5%               31.58%                  43.52%
   Region III     6.1%                0.3%                    11.82%
   Region IV      17.1%               8.31%                   25.97%

Reference to the first line of the table reveals that there was a 37.5 percent error rate for headquarters’ location/sub-location data in SPMS. We can project the sample results to all of headquarters and say, with 95 percent confidence, that the location/sub-location error rate could be as low as 31.58 percent and as high as 43.52 percent.
The table reflects the sample results and 95 percent confidence for Regions III and IV as well.[13] The cumulative acquisition cost associated with the high-end of the projection is $7.42 million at headquarters, and over $8 million for all three locations.

[11] Sub-location means the room or cubicle designation within a building.
[12] OIG requested that the agency perform follow-up effort to locate the items identified as missing, as a result of our unannounced physical inventory, and correct SPMS.
[13] Subsequent to OIG’s sample physical inventory, personnel from Regions III and IV located the missing property for OIG auditors. Reportedly, Region IV personnel updated SPMS location/sub-location information accordingly.

b.   SPMS Contained Errors on Firearms Location/Sub-Location and Serial Numbers

OIG found that SPMS contains inaccurate data for NRC firearms. During an unannounced physical verification to locate 48 Office of Investigations’ firearms,[14] OIG found incorrect information recorded in SPMS.

Specifically, of the 48 firearms, SPMS showed 17 firearms as being located at headquarters. Only 2 of these 17 firearms were actually located at headquarters. A third firearm located at headquarters was shown in SPMS as being located in Region I. Subsequently, based on information contained in Office of Investigations’ records, OIG accounted for the remaining 45 firearms.
OIG auditors accounted for all 48 firearms included in our test.

OIG also noted that the serial numbers for 13 of the 48 firearms contained typographic errors. Because of the highly sensitive nature of this property, the recording of accurate serial numbers for firearms is particularly important.

c.   SPMS Shows Property Assigned to Separated Employees

MD 13.1 requires that “…all Government-furnished property … assigned to NRC employees be returned [to the property custodian] or accounted for at least 10 working days before separation, and all items must be returned before clearance from NRC.” MD 13.1 also requires property custodians to reassign sensitive equipment before the Property Branch can approve separation clearance for an individual.

OIG’s analysis of SPMS records revealed that, as of August 11, 2006, 39 (or 10.7 percent) of 366 employees who separated between January 1, 2005, and June 30, 2006, had a cumulative total of 106 items with a total acquisition cost of $110,188 still assigned to them. Of the 39 separated employees, six had sensitive property assigned, consisting of four laptop computers, four cell phones, and three cameras.
One separated Office of Nuclear Security and Incident Response employee had 17 items assigned to his name with a total acquisition cost of $34,710. In some cases, property remained assigned to separated employees for as long as 18 months beyond their effective date of separation from the agency. OIG requested that the agency perform follow-up effort to locate these items and correct SPMS.

[14] The 48 firearms were handguns, 16 manufactured by Smith & Wesson, 32 manufactured by Glock.

Reasons for Inadequate Property Management

SPMS contains inaccurate property records because the property management program lacks adequate accountability and the threshold for accounting and controlling non-sensitive property is too low.

Inadequate Accountability

OIG believes the following areas contribute to the lack of accountability:

Reorganizations and Changes in Management

Frequent reorganizations and changes in management in the Property Branch do not create an effective control environment that fosters monitoring and continuous process improvements. Management continuity is critical to achieve focused and sustained program improvements.

Senior Executives

Senior Executives’ performance plans and appraisals do not reflect accountability for property management.
Accordingly, little attention and low priority are given to the property management function.

Property Custodians

Property custodian duties and responsibilities are essential to maintaining an effective, efficient, and accurate property management program. However, property custodians’ elements and standards generally do not reflect property management duties and responsibilities,[15] despite the fact that the Director, Office of Administration (ADM), issued a memorandum, dated September 25, 2001, requesting that position descriptions be updated appropriately. ADM reissued the memorandum on October 10, 2006.

Performance Measures

NRC’s performance measures for property management evaluate performance after inventory reconciliation activities. Measuring the accuracy after reconciliation does not provide transparency regarding the property custodians’ performance of maintaining accurate SPMS records. This does not enable effective monitoring of program performance, accuracy, or easy identification of program improvements.

[15] OIG found that only 24 out of 69 property custodians’ elements and standards included property custodian duties as of August 2006.

Property Custodian Training

Property custodians are not required to take formal periodic training.
Instead, they are provided an SPMS Users Guide and advised to call the
Property Branch, if needed. The Property Branch conducts training on a
one-on-one basis upon request. The effective accounting and control of
non-capitalized property relies heavily on the performance of property
custodians; therefore, it is critical that property custodians receive formal
periodic training.

Reporting Threshold is Too Low

The threshold for recording accountable non-sensitive property in SPMS is
$500. There are 4,485 non-sensitive items with an approximate acquisition cost
of $2.2 million currently recorded in SPMS, with a value between $500 and
$1,000. Property custodians’ recording and monitoring of these inexpensive
items takes time away from maintaining accurate and reliable property records
for sensitive and more expensive items. OIG contacted other Federal
agencies [16] and learned that their threshold for recording accountable
property in their respective property management systems ranged from $50 to
$5,000.
Raising NRC’s threshold for reporting accountable non-sensitive property in
SPMS from $500 to $1,000 would reduce the number of items tracked in SPMS by
37 percent (72 percent minus 35 percent) while still accounting for 84 percent
of the dollar value of property that is both non-capitalized and non-sensitive
(see the following chart).

[16] Other Federal agencies contacted were the Small Business Administration,
National Oceanic and Atmospheric Administration, and the Office of Personnel
Management.

Impact of Accountable Thresholds on SPMS [17]
(bar chart; values shown as % of Current)

Threshold           # Items as % of Current    Acq $ as % of Current
Current Database    100%                       100%
≥ $500              72%                        93%
≥ $1000             35%                        84%
≥ $1500             26%                        78%
≥ $2000             21%                        73%

[17] The number of items and acquisition costs taken from SPMS and used as the
basis for the chart excludes capitalized property and sensitive property.

Risk of Loss of Property and Information

Accurate and reliable information on the location and sub-location of property
is essential for NRC to assure the optimum use of property and the efficient
use of staff time. The high level of errors found in SPMS combined with
property assigned to separated employees:

  • Increases the risk of loss of property and information,
  • Results in inefficient use of staff time, and
  • May result in unnecessary expense.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Incorporate responsibility for property management into the Senior
   Executive Service Performance Plan and Appraisal.

2. Incorporate property management duties and responsibilities into all
   property custodian and alternate property custodian performance
   evaluations.

3. Develop and implement performance measures to provide transparency of
   inventory results immediately after the physical inventory is taken.

4. Provide formal periodic mandatory property management training to property
   custodians and their alternates.

5. Raise the threshold for recording non-sensitive property in SPMS to $1,000.

B. Controls for Information Technology Property That May Contain Personally
   Identifiable Information Are Lacking

Although NRC has initiated improvements for protecting PII as required by OMB
and NRC guidance,[18] not all reports of potential releases of PII are
reported to the Office of Information Services (OIS) as required. This
condition exists because a control is lacking on NRC Form 395, “Report of
Property for Survey,” to flag missing property capable of storing PII and
requiring coordination with the OIS. Without this critical internal control,
NRC is at risk of not detecting potential or actual releases of PII, and of
not mitigating the damage caused by such releases.

As of March 2006, NRC staff had not found 25 items capable of storing PII
identified as missing during the FY 2005 biennial inventory.
However, the staff filed no reports of potential releases of PII to OIS. OIG
requested that the agency perform follow-up effort to locate these items.

While the Agency has increased efforts to protect PII, these efforts do not
include improving the process for reporting missing IT property that may
contain PII. NRC Form 395 does not include a field to alert agency personnel
about a possible release of PII due to missing IT devices such as laptops,
personal digital assistants, and cell phones. Currently, Form 395 preparers
are not required to report:

  • Whether missing IT property contains/may contain PII, or
  • Whether OIS has been alerted, as warranted.

Additionally, in instances involving missing IT property, MD 13.1 procedures
for reporting the loss or theft do not reference MD 12.5, NRC Automated
Information Security Program, and do not include procedures for coordinating
with the OIS.

Without adequate controls for IT property that may contain PII, NRC is at risk
of not detecting potential or actual releases of PII and of not mitigating the
damage caused by such releases.

[18] OMB guidance dated June 23, 2006, memorandum (M-06-16), "Protection of
Sensitive Agency Information," and Chairman Klein’s memorandum dated July 26,
2006, "Protection of Personal Privacy Information." NRC is required to ensure
that any files or images that may contain PII are adequately protected from
unauthorized access.

Recommendations

OIG recommends that the Executive Director for Operations:

6. Modify NRC Form 395 to include a field for reporting instances to OIS when
   missing NRC property contains or may contain personally identifiable
   information.

7. Modify Management Directive 13.1, “Property Management,” to reference,
   where applicable, Management Directive 12.5, “NRC Automated Information
   Security Program,” to include procedures for coordinating with OIS
   regarding missing property that contains or may contain PII.

8. Issue interim guidance to accomplish the intent of Recommendation 7,
   pending revision of Management Directive 13.1.

C. Physical Security Deficiencies Exist

Four rooms, containing equipment vital to the continuity of agency operations
and valued in excess of $1 million, were found unsecured during OIG’s
unannounced sample inventory at NRC's Headquarters.
GAO guidance [19] requires that vulnerable assets be safeguarded to prevent
loss or unauthorized use. Unsecured rooms, caused by lack of due care
exercised by employees/contractors, could lead to:

  • Interruptions to agency operations,
  • Loss of property and/or PII, and
  • Unnecessary expense.

[19] GAO Standards for Internal Control in the Federal Government, November
1999.

Physical Security Guidance

MD 12.5, NRC Automated Information Security Program, requires controls be in
place to protect NRC buildings, facilities, and related supporting
infrastructures that house essential resources, such as data centers, server
rooms, rooms that contain telecommunications equipment and wiring closets. For
instance, as shown in the photograph, certain rooms containing servers and/or
telecommunications equipment have multiple locks.

These controls protect against potential threats to the physical environment
and are intended to help prevent:

  • interruptions in computer services,
  • physical damage,
  • unauthorized disclosure of information,
  • loss of control over system integrity, and
  • theft.

In addition, the directive provides guidance on protection against insider
threats posed by disgruntled employees or contractors who may attempt to:

  • intentionally disrupt computer operations,
  • gain unauthorized access to network resources or services, or
  • perform other related unauthorized activities.

Physical Security Observations

During this audit, OIG found four rooms at headquarters with computer and
telecommunication equipment unsecured. Many of these items are capable of
storing PII. The initial acquisition cost of the 144 items reported in SPMS as
being located in the four rooms was in excess of $1 million.

One of the four rooms found unsecured is labeled, "Authorized Personnel Only,"
and is protected by a card reader, keypad, and door lock (see photo).

During the physical verification of property, OIG auditors gained entry to
this room through an unlocked door (i.e., no card or key code was needed) and
the room was unattended. A system query by OIG found that this room contained
40 items (primarily high value computer equipment) with an acquisition cost of
$519,168.

Another unsecured room contained system units and telecommunications
equipment. The room was protected by a push button deadbolt lock and two keyed
locks; however, OIG auditors found the door propped open. A system query found
that this room contained 17 items with an initial acquisition cost of
$116,198.

Additionally, as shown in the photograph, auditors were able to enter another
unsecured and unattended room containing system units and other computer
equipment. The room was not protected by a card reader and the door lock was
broken.
A system query revealed that this room contained 63 items with an initial
acquisition cost of $367,935. SPMS listed 2 of the 63 items as laptop
computers.

Additionally, three headquarters telephone equipment closets were identified
as unsecured and unattended in a prior OIG audit report, OIG-05-A-13, Audit of
NRC’s Telecommunications Program, dated June 7, 2005.

Based on these observations, OIG concludes that employees and/or contractors
did not exercise due care.

Impact on Agency Operations

IT equipment left unattended and unsecured is more likely to be lost or
stolen, risking a potential information security breach. In recent months,
media reports of laptop computer thefts from various Federal agencies have
raised the public’s sensitivity to risks associated with the loss of PII.
Without due care by employees and contractors to assure that rooms containing
IT equipment are appropriately secured, NRC risks a possible release or theft
of PII pertaining to employees, licensees, or other stakeholders. A release or
theft of PII could result in significant damage to an individual’s identity
and could compromise the public’s confidence in the agency.

Unauthorized access to agency computer or telecommunication systems could lead
to potential interruptions of agency operations due to intentional or
accidental damage. Unsecured rooms leave NRC vulnerable to intentional damage
(i.e., cutting of cables, breaking components, etc.) by a disgruntled employee
or contractor or accidental damage by someone who may mistake the space to be
a storage area.

Recommendations

OIG recommends that the Executive Director for Operations:

9. Reemphasize the importance of physical security to both employees and
   contractors using means such as yellow announcements or posters.

10. Periodically survey NRC buildings to ensure that physical security
    measures (i.e., locks, latches, door closers, badge readers, etc.) are
    functioning as intended for rooms containing mission critical equipment.

D. Policy for Notifying OIG of Missing Property Needs Improvement

Although MD 13.1 requires OIG notification for incidents involving suspected
theft of NRC property, in OIG’s opinion, the emphasis on “suspected” theft has
caused staff to frequently characterize missing property as simple loss rather
than theft. While it is commonly understood that the timeliness of reporting
missing property has a direct correlation to the likelihood of recovering it,
OIG received few security incident reports regarding missing non-capitalized
property in recent years. Unless OIG is notified of incidents of missing
accountable property, the opportunity for OIG and other law enforcement
officials to assist the agency with recovering property may be missed and
potential wrongdoing may go undetected.

During FYs 2005 and 2006, agency staff filed approximately 130 NRC Form 395s
for missing property. However, during this same two-year period, staff filed
only two security incident reports for suspected theft of NRC property,
resulting in OIG notification.

Since the prevailing attitude for missing property emphasizes loss rather than
suspected theft, OIG may not have received all reports of missing property
that warrant investigation.
Unless NRC notifies the OIG Assistant Inspector General for Investigations of
all instances requiring Form 395s in a timely manner:

  • Cases that may warrant OIG investigation may go undetected, and

  • The agency compromises the likelihood of recovering missing property.

Recommendations

OIG recommends that the Executive Director for Operations:

11. Collaborate with OIG to modify NRC Management Directive 13.1, “Property
    Management,” to develop a process for notifying the OIG Assistant
    Inspector General for Investigations of all reports (i.e., Form 395s) of
    missing sensitive property (regardless of value) and missing non-sensitive
    property with a current value of at least $1,000.

12. Issue interim guidance to accomplish the intent of Recommendation 11,
    pending revision of Management Directive 13.1.

Summary

Although it is NRC’s policy “to manage and use property and supplies in its
possession or its contractors’ possession effectively and efficiently and to
provide sufficient controls to deter or eliminate loss through fraud, waste,
or misuse,” the program, as implemented, needs improvement.
NRC’s property management program lacks adequate controls to assure that:

  • SPMS records are accurate,

  • Staff alert OIS when IT equipment capable of storing PII is missing,

  • Employees and contractors exercise due care to physically secure rooms
    containing expensive equipment important to the continuity of NRC
    operations, and

  • OIG Assistant Inspector General for Investigations is appropriately
    notified of missing property.

In light of NRC’s imminent growth in FTEs, and anticipated office relocations,
it is increasingly important that NRC maintain effective and efficient
accounting and control over non-capitalized property. Therefore, now is an
opportune time for NRC management to increase accountability for, and improve
control of, the property management program. An effective and efficient
property management program is essential to assure that staff have the
property needed to carry out their duties and assure optimum utilization of
staff time, property and fiscal resources.

IV. AGENCY COMMENTS

At an exit conference held on June 26, 2007, agency managers generally agreed
with the audit findings and recommendations and provided comments concerning
the draft audit report. We modified the report in response to the comments, as
we deemed appropriate.
NRC reviewed these modifications and opted not to submit formal written
comments for the final version of this report.

V. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Incorporate responsibility for property management into the Senior
   Executive Service Performance Plan and Appraisal.

2. Incorporate property management duties and responsibilities into all
   property custodian and alternate property custodian performance
   evaluations.

3. Develop and implement performance measures to provide transparency of
   inventory results immediately after the physical inventory is taken.

4. Provide formal periodic mandatory property management training to property
   custodians and their alternates.

5. Raise the threshold for recording non-sensitive property in SPMS to $1,000.

6. Modify NRC Form 395 to include a field for reporting instances to OIS when
   missing NRC property contains or may contain personally identifiable
   information.

7. Modify Management Directive 13.1, “Property Management,” to reference,
   where applicable, Management Directive 12.5, “NRC Automated Information
   Security Program,” to include procedures for coordinating with OIS
   regarding missing property that contains or may contain PII.

8. Issue interim guidance to accomplish the intent of Recommendation 7,
   pending revision of Management Directive 13.1.

9. Reemphasize the importance of physical security to both employees and
   contractors using means such as yellow announcements or posters.

10. Periodically survey NRC buildings to ensure that physical security
    measures (i.e., locks, latches, door closers, badge readers, etc.) are
    functioning as intended for rooms containing mission critical equipment.

11. Collaborate with OIG to modify NRC Management Directive 13.1, “Property
    Management,” to develop a process for notifying the OIG Assistant
    Inspector General for Investigations of all reports (i.e., Form 395s) of
    missing sensitive property (regardless of value) and missing non-sensitive
    property with a current value of at least $1,000.

12. Issue interim guidance to accomplish the intent of Recommendation 11,
    pending revision of Management Directive 13.1.

Appendix A

SCOPE AND METHODOLOGY

To accomplish the audit objective, OIG identified and analyzed pertinent laws,
regulations, authoritative guidance, NRC policies and procedures, and prior
relevant NRC OIG reports.
OIG also obtained and analyzed information from three other Federal
agencies [20] related to their property program best practices.

Working with NRC’s statistician, OIG designed and implemented a statistical
sample to test the accuracy of location/sub-location information of property
records in SPMS for headquarters, Region III and Region IV. The results of the
sample were projected to the universe of each of the three locations, with a
95 percent confidence level.

In addition, OIG reviewed the Office of Administration’s property program
metrics and performed various tests of internal controls associated with
non-capitalized property recorded in SPMS.

OIG also conducted interviews with selected headquarters and regional
officials to:

  • Gain an understanding of NRC’s property management operations;

  • Determine current issues, problems, or known deficiencies; and

  • Assess internal controls.

This audit did not include a review of property assigned to OIG,[21] NRC’s
Technical Training Center,[22] NRC’s Warehouse,[23] or Department of Energy
Laboratories.[24] OIG conducted this audit in accordance with Generally
Accepted Government Auditing Standards from May 2006 through March 2007.

[20] OIG obtained and analyzed information from the Office of Personnel
Management, the National Oceanic and Atmospheric Administration, and the Small
Business Administration.

[21] Property assigned to OIG was removed from the scope because the OIG
cannot audit itself.

[22] Property management at NRC’s Technical Training Center was excluded from
the scope of this audit because it was included in the 2007 Audit of NRC’s
Technical Training Center.

[23] Property management at NRC’s Warehouse was excluded from this audit
because OIG plans to conduct an audit on the Warehouse in the future.

[24] Oversight of property purchased with NRC funds by Department of Energy
Laboratories was excluded from this audit because OIG plans to perform an
audit of the placement and monitoring of work at DOE Laboratories that will
include property management.

The major contributors to this report were Steven Zane, Team Leader; Debra
Lipkey, Audit Manager; Kathleen Stetson, Audit Manager; Michael Steinberg,
Senior Auditor; Terri Cooper, Senior Auditor; Robert Woodward, Auditor and
Christopher Lange, Management Analyst.
'